
Error 451 when transferring certain files using FTPS\TLS1.3 #13507

Open
laser73 opened this issue Apr 30, 2024 · 1 comment

laser73 commented Apr 30, 2024

I did this

Attempting to transfer an HTML file generated by the application I'm working on to an FTP server that forces the use of TLSv1.3, using this command line, results in a 451 error (I changed the file name extension to .txt since it is not possible to attach .html files here, but that makes no difference). Other servers don't exhibit this issue, but unfortunately more have started to recently, possibly as they move to forcing TLSv1.3.

curl -vk -T Introduction.txt --ssl ftp://SERVER/XaraTest/Introduction.txt -p -u USER:PASS

Other files always work, for example FrogFind.txt.

Introduction.txt
FrogFind.txt

The server belongs to a hosting provider, so we are unable to debug from the remote end. We are also seeing the same issue using libcurl directly from our application to transfer files to hosting providers, but I'm supplying details for the curl command line utility since that removes any issues with our application. This may be the same issue as #8443, but it is still happening with the latest version in Debian. From the debug trace it looks like the whole file is transferred, but the server is then failing.

The debug trace for the failing transfer is:


  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host SERVER:21 was resolved.
* IPv6: (none)
* IPv4: 69.27.102.4
*   Trying 69.27.102.4:21...
* Connected to SERVER (69.27.102.4) port 21
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 2 of 50 allowed.
< 220-Local time is now 06:38. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [155 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [10 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2593 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp256r1 / RSASSA-PSS
* Server certificate:
*  subject: CN=cp1024.blacksun.ca
*  start date: Mar 16 15:38:17 2024 GMT
*  expire date: Jun 14 15:38:16 2024 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
} [5 bytes data]
> USER USER
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [249 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [249 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< 331 User bwood OK. Password required
} [5 bytes data]
> PASS PASS
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0{ [5 bytes data]
< 230 OK. Current restricted directory is /
} [5 bytes data]
> PBSZ 0
{ [5 bytes data]
< 200 PBSZ=0
} [5 bytes data]
> PROT P
{ [5 bytes data]
< 200 Data protection level set to "private"
} [5 bytes data]
> PWD
{ [5 bytes data]
< 257 "/" is your current location
* Entry path is '/'
} [5 bytes data]
> CWD XaraTest
* ftp_perform ends with SECONDARY: 0
{ [5 bytes data]
< 250 OK. Current directory is /XaraTest
} [5 bytes data]
> EPSV
* Connect data stream passively
{ [5 bytes data]
< 229 Extended Passive mode OK (|||34862|)
* Connecting to 69.27.102.4 (69.27.102.4) port 34862
*   Trying 69.27.102.4:34862...
* Connected 2nd connection to 69.27.102.4 port 34862
* SSL reusing session ID
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [610 bytes data]
> TYPE I
{ [5 bytes data]
< 200 TYPE is now 8-bit binary
} [5 bytes data]
> STOR Introduction.txt
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0{ [5 bytes data]
< 150 Accepted data connection
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [643 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [161 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp256r1 / UNDEF
* Server certificate:
*  subject: CN=cp1024.blacksun.ca
*  start date: Mar 16 15:38:17 2024 GMT
*  expire date: Jun 14 15:38:16 2024 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
} [5 bytes data]
* upload completely sent off: 49566 bytes
* Remembering we are in dir "XaraTest/"
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
< 451-Error during read from data connection
{ [5 bytes data]
< 451 Transfer aborted
* server did not report OK, got 451
100 49566    0     0  100 49566      0  21467  0:00:02  0:00:02 --:--:-- 21475
* Connection #0 to host SERVER left intact

curl -V yields

curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 OpenSSL/3.2.2 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 libssh2/1.11.0 nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.5.13
Release-Date: 2024-03-27, security patched: 8.7.1-3
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

lsb_release -a yields

No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux trixie/sid
Release:        n/a
Codename:       trixie

I expected the following

The transfer to complete.

curl/libcurl version

curl 8.7.1

operating system

Debian GNU/Linux trixie/sid, fully up to date, running in WSL2.
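The trace above ends with curl reporting the upload fully sent, a close_notify from the client, and then the server's 451. As an added example (not code from the reporter, from curl, or from Pure-FTPd), the following Python script pulls those facts out of a curl -v FTPS trace: it strips the progress-meter rows that -v glues onto trace lines, separates sent commands, server replies and curl's own notes, redacts the PASS line so a summary can be pasted into a report, and lists the points a reviewer checks first, including that -k left the server certificate unverified ("continuing anyway"), that the data connection resumed the control connection's TLS session, and that the client's close_notify preceded the final control reply. SAMPLE_TRACE is an abbreviated copy of the trace in the issue; the function names, the summary keys and the wording of the findings are this example's own.

```python
import re

# Abbreviated copy of the curl -v trace quoted in the issue, kept as an inline
# sample (including two lines where the progress meter was glued onto a trace line).
SAMPLE_TRACE = """\
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host SERVER:21 was resolved.
* Connected to SERVER (69.27.102.4) port 21
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH TLS
< 234 AUTH TLS OK.
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp256r1 / RSASSA-PSS
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> USER USER
< 331 User bwood OK. Password required
> PASS PASS
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0{ [5 bytes data]
< 230 OK. Current restricted directory is /
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Data protection level set to "private"
> EPSV
< 229 Extended Passive mode OK (|||34862|)
* SSL reusing session ID
> STOR Introduction.txt
< 150 Accepted data connection
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp256r1 / UNDEF
* upload completely sent off: 49566 bytes
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
< 451-Error during read from data connection
< 451 Transfer aborted
* server did not report OK, got 451
"""

# A progress-meter row: eight counters, three time columns, a speed column.
PROGRESS_METER = re.compile(
    r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+"
    r"\s+[\d:.-]+\s+[\d:.-]+\s+[\d:.-]+\s+\d+"
)
TRACE_LINE = re.compile(r"^([<>*{}])\s?(.*)$")   # marker + payload
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")        # FTP reply; '-' = continuation


def parse_trace(text):
    """Turn curl -v output into (kind, payload) events, dropping meter noise."""
    events = []
    for raw in text.splitlines():
        m = TRACE_LINE.match(PROGRESS_METER.sub("", raw, count=1))
        if not m:
            continue  # column headers, bare progress rows, blank lines
        marker, payload = m.groups()
        kind = {"<": "recv", ">": "send", "*": "info"}.get(marker, "data")
        events.append((kind, payload.strip()))
    return events


def redact(command):
    """Mask the password argument of PASS before the summary leaves the box."""
    verb, _, rest = command.partition(" ")
    return f"{verb} ****" if verb.upper() == "PASS" and rest else command


def summarize(events):
    """Extract the control-channel and TLS facts a reviewer wants from the trace."""
    s = {"commands": [], "replies": [], "tls_sessions": [], "final_reply": None,
         "final_reply_index": None, "close_notify_index": None,
         "cert_verify_skipped": False, "session_reused": False, "upload_bytes": None}
    for i, (kind, payload) in enumerate(events):
        if kind == "send":
            s["commands"].append(redact(payload))
        elif kind == "recv":
            m = REPLY.match(payload)
            if m:
                code, sep, text = m.groups()
                s["replies"].append((int(code), text))
                if sep == " ":  # last line of a possibly multi-line reply
                    s["final_reply"], s["final_reply_index"] = (int(code), text), i
        elif kind == "info":
            if payload.startswith("SSL connection using "):
                s["tls_sessions"].append(payload[len("SSL connection using "):])
            elif "continuing anyway" in payload:   # printed only when -k disabled verification
                s["cert_verify_skipped"] = True
            elif payload == "SSL reusing session ID":
                s["session_reused"] = True
            elif payload.startswith("upload completely sent off: "):
                s["upload_bytes"] = int(payload.split()[4])
            elif "(OUT)" in payload and "TLS alert, close notify" in payload:
                s["close_notify_index"] = i
    return s


def diagnose(s):
    """Return human-readable findings derived from a summary (wording is this example's)."""
    findings = []
    code, text = s["final_reply"] if s["final_reply"] else (None, "")
    failed = code is not None and code >= 400
    if failed:
        findings.append(f"transfer failed with {code}: {text}")
    if s["cert_verify_skipped"]:
        findings.append("server certificate was not verified (curl -k): the TLS peer is unauthenticated")
    if failed and s["upload_bytes"] is not None:
        findings.append(f"client sent all {s['upload_bytes']} bytes before the server rejected the transfer")
    ci, fi = s["close_notify_index"], s["final_reply_index"]
    if ci is not None and fi is not None and ci < fi:
        findings.append("client sent close_notify on the data channel before the final control reply")
    if s["session_reused"]:
        findings.append(f"data connection resumed the control-connection TLS session ({len(s['tls_sessions'])} handshakes seen)")
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize(parse_trace(SAMPLE_TRACE))):
        print("-", line)
```

Feed it a full trace with `parse_trace(open("trace.txt").read())`; the redaction matters because a real run echoes the PASS argument in clear text.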

@bagder bagder added the FTP label Apr 30, 2024

icing commented May 10, 2024

Can you produce a log by adding --trace-config ids,time,ssl to the command line? That would give us more information about what was happening on each tcp connection. Thanks.
